In Outlook server doesn't support the encryption method specified error

IRZQ88

Active Member
Sep 18, 2016
26
4
3
Indonesia
cPanel Access Level
Root Administrator
Yesterday, when I set up a new VPS server, after migrating and changing the nameserver, my client could not send or receive emails from my VPS server through Outlook. It doesn't matter which Outlook version, but if it is using a Windows 7 PC, I get error 0x800CCC1A saying my server doesn't support the encryption method specified. But if it is using Windows 10, it can receive and send emails normally.

I even copied my Exim configuration from the old VPS using the transfer tools, but the result was the same. Then I tried to update the "SSL/TLS Cipher Suite List" and "Options for OpenSSL" as this posting mentioned, but the result was still the same; nothing changed, and my clients with Windows 7 still couldn't send or receive email, with the same errors.

FYI, I've attached my settings screenshot below and I'm using cPanel version 72.0.7.

So finally I've decided to change my nameserver to my old VPS, and it works normally for Windows 7 or Windows 10. This is very weird! :(

Could anybody help, please? Thank you.
 


mtindor

Well-Known Member
Sep 14, 2004
1,363
65
178
inside a catfish
cPanel Access Level
Root Administrator
Just to get you going -- I would expect you to make a determination whether or not to use these settings long term.

Dovecot:
Code:
SSL Cipher List:  ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

SSL Protocols:  !SSLv2 !SSLv3

Exim [Home --> Service Configuration --> Exim Configuration Manager --> Security]
Code:
Options for OpenSSL:

+no_sslv2 +no_sslv3

SSL/TLS Cipher Suite List:

ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS

/scripts/restartsrv_dovecot
/scripts/restartsrv_exim

NOTE: Make sure you make note of your current configuration. If the above info doesn't work for you, revert back. If you use this information and then suddenly something doesn't start back up, I can't help you. It's easy to revert back if you have kept a record of the previous settings.

Mike
 

IRZQ88

Thanks for the fast response, Mike! But sorry, I don't understand what you mean by this one:

Code:
Dovecot:

SSL Cipher List:  ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

SSL Protocols:  !SSLv2 !SSLv3
 

mtindor

Dovecot is the IMAP/POP3 server, and you need to make sure that its SSL/TLS settings work with Outlook as well.

WHM --> Service Configuration --> Mailserver Configuration

In there you'll see the SSL Cipher List and SSL Protocols sections if you are running Dovecot.

If you are just making changes to Exim, that only handles any issues you may have been having _sending_ mail with Outlook. If you have issues _receiving_ mail with Outlook, that's all Dovecot.

Mike
 

IRZQ88

I see.. Thanks Mike for this great explanation! I'll update the result here soon! :)
 

mtindor

You should also read the following thread to make sure your Windows 7 is as up to date as it can be with regard to supporting various SSL/TLS options, etc. After all, the only ones with problems sending/receiving emails with the cPanel-preferred SSL/TLS settings for services are those running outdated operating systems, operating systems that haven't been updated, or email clients that haven't been updated. If you can fix the email client / client computer, you don't have to lower security on the server side.

Outlook 2016 Sending Email Fails After Cipher Suite Update

Mike
 

IRZQ88

Okay, once again, thanks for your help! :)
 

IRZQ88

Thanks a lot Mike! This actually works!!! I don't believe this!!! :D

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,297
1,259
313
Houston
Hello @IRZQ88

I also want to point out that rather than allow SSLv2 or SSLv3 you should first have your client add the Microsoft patch for TLSv1.2 https://support.microsoft.com/en-us...-and-tls-1-2-as-a-default-secure-protocols-in

Win 7 did not come with support for this originally and usually installing the patch they provide will allow the connection to be successful while still maintaining a secure environment.

Thanks!

IRZQ88

I see. Okay, I'll check it out ASAP! Thank you, Lauren!
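
An added example, not part of the original thread and not cPanel's code: a name-based audit of the Exim cipher list posted above, showing which suites stay available to a client that can only negotiate TLS 1.0, which is the gap the TLS 1.2 patch mentioned above closes. The function names and the assumption that the affected client is capped at TLS 1.0 are illustrative.

```python
# Added example: name-based audit of the cipher strings quoted in this thread.
# Assumption: properties are inferred from OpenSSL suite naming conventions only.
EXIM_LIST = (  # copied from the thread
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:!DSS"
)
DOVECOT_LIST = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP"  # from the thread
PROTOCOLS = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]  # oldest to newest

def classify(name):
    """Infer properties of one explicit TLS <= 1.2 suite from its OpenSSL name."""
    parts = name.split("-")
    aead = "GCM" in parts or "CHACHA20" in parts
    # AEAD suites and HMAC-SHA256/384 suites only exist from TLS 1.2 on;
    # suites ending in -SHA (HMAC-SHA1) can be negotiated from TLS 1.0.
    tls12_only = aead or parts[-1] in ("SHA256", "SHA384")
    return {"name": name, "aead": aead, "forward_secrecy": parts[0] in ("ECDHE", "DHE"),
            "min_protocol": "TLSv1.2" if tls12_only else "TLSv1.0"}

def audit(cipher_list):
    """Split a cipher string into explicit suites and keyword/operator items."""
    suites, operators = [], []
    for item in filter(None, (i.strip() for i in cipher_list.split(":"))):
        # Keywords (ALL, HIGH, RC4+RSA) and !/+/- operators depend on the
        # local OpenSSL build, so they are reported rather than guessed at.
        if item[0] in "!+-" or "-" not in item:
            operators.append(item)
        else:
            suites.append(classify(item))
    return {"suites": suites, "operators": operators}

def usable_by(cipher_list, max_protocol):
    """Names of explicit suites a client capped at max_protocol can negotiate."""
    cap = PROTOCOLS.index(max_protocol)
    return [s["name"] for s in audit(cipher_list)["suites"]
            if PROTOCOLS.index(s["min_protocol"]) <= cap]

if __name__ == "__main__":
    legacy = usable_by(EXIM_LIST, "TLSv1.0")
    print(len(legacy), "suites left for a TLS 1.0-only client:", legacy)
    print("expand with `openssl ciphers -v`:", audit(DOVECOT_LIST)["operators"])
```

The Dovecot string consists only of keywords and operators, so its effective suites depend on the server's OpenSSL build; `openssl ciphers -v '<string>'` on the server lists them.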